A paradigm shift is occurring, regarding APT (the advanced persistent threat, a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period of time.)
What kind of threat is an APT?
Everyone says it’s external, foreign adversaries or competitors trying to break it. We have to differentiate between the source of the threat and the cause of damage. The source of advanced threats are external. The cause of damage is the insider threat.
Look at the CEO causing damage by opening the attachment at his son’s high school. Think about the laptops or cell phones that executives carried while traveling overseas. Then those laptops were brought back into the company that allowed the organization to be compromised. The cause of damage is the insider threat.
When I say, “insider threat,” I’m not referring to deliberate malicious insiders. I am talking about the person who inadvertently causes harm without even realizing. It’s the accidental insiders that we’re concerned about.
This distinction is important because many companies believe that it’s all external. They will buy all this new gear to deal with all this perimeter security for the external threats coming in. Well guess what? If they’re not worried about what’s happening within their network, environment, and organization, then they’re focusing on the wrong area. So while the source is external, the cause of damage is internal.
Let’s break this down into the fundamental pieces of attack. The good news is the general characteristics of how advanced threats work are common. There’s a set DNA structure of how these advanced threats are going to work and operate. The bad news is this specific implementations are different and unique.The signature action is different each time the actual executable occurs. The actual delivery mechanisms are different. However the general characteristics are the same.
Any threat out there, basically, has these general characteristics.
- They’re going to target an individual
- They’re going to deliver a payload to that system
- They’re going to upload files to the system
- They’re going to run a process and survive a reboot.
Next is longevity. They don’t want to be on your system for an hour. They want to be on your system for 10 years. They’re going to make an outbound connection known as a C2 or C & C, command and control channel. That’s an encrypted channel, leading back out to the Internet, i.e. back to that adversary. They’re then going to perform internal recon and get a pivot deeper and deeper to the network. Basically, they are getting an entry point, setting up what we call a B channel, and going deeper into the environment.
If companies continue to fix the wrong vulnerabilities, they will continue to get breached. Take a closer look at your employees daily practices of checking emails and opening links. Especially for the employees who work from home, find out if they are sharing their work computer with ANYONE. Not that the CEO’s teen daughter would maliciously cause an attack while borrowing his computer… but would you bet your company’s assets that she follows your standard of cyber safety? That’s exactly what you’re doing each time she’s allowed to check her social media on her dad’s work computer.
For more tips on staying safe in cyberspace, keep checking out my blogs or follow me on Facebook, Twitter, or Linked In. For your own company’s security assessment or any other questions or concerns, reach out to me at secure-anchor.com/contact.